Meet Cloudflare's service at 1.1.1.1 and 1.0.0.1, or "the ranks of public DNS resolvers have grown!"


Cloudflare has launched a public DNS resolver at the following addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

The stated policy is "Privacy first", so that users can have peace of mind about the contents of their queries.

The service is interesting because, in addition to plain DNS, it offers DNS-over-TLS and DNS-over-HTTPS, which largely prevents the providers along the path of a request from eavesdropping on your queries and from collecting statistics, monitoring you and steering advertising. Cloudflare says the launch date (April 1, 2018, or 04/01 in American notation) was not chosen by accident: on what other day of the year could "four ones" be presented?

Since the Habr audience is technically savvy, I will put the traditional section "why do you need DNS at all?" at the end of the post, and here get straight to the more practical things:

How to use the new service?

The simplest option is to specify the DNS server addresses listed above in your DNS client (or, likewise, in the settings of the local DNS server you use). Whether it makes sense to replace the usual Google DNS (8.8.8.8 and so on), or the slightly less popular Yandex public DNS servers (77.88.8.8 and the like), with Cloudflare's servers is for you to decide, but the response time speaks in favour of the newcomer: according to the measurements, Cloudflare is faster than all of its competitors (to be precise: the measurements were taken by a third-party service, and the speed to a particular provider may, naturally, differ).


It is much more interesting to work with the new modes in which the query travels to the server over an encrypted connection (and the answer comes back over the same connection): the aforementioned DNS-over-TLS and DNS-over-HTTPS. Unfortunately, they are not supported "out of the box" (the authors believe this is only "for now"), but it is not hard to set them up in your own software (or even on your own hardware):

DNS over HTTPS (DoH)

As the name suggests, communication takes place over an HTTPS channel, which implies

  1. an endpoint to which requests go, available at https://cloudflare-dns.com/dns-query, and
  2. a client that can send requests and receive responses.

Requests can be either in the DNS wire format described in RFC 1035 (sent with the POST and GET HTTP methods) or in JSON form (GET method only). Personally, the idea of making DNS queries via HTTP requests seemed odd to me at first, but there is a rational grain in it: such a request passes through most traffic-filtering systems, parsing the answers is very simple, and forming the requests is even simpler. Security is left to the usual libraries and protocols. Two practical notes: the content type application/dns-udpwireformat used in the examples below comes from the draft; the published standard, RFC 8484, uses application/dns-message (which Cloudflare also accepts) and requires the "dns" GET parameter to be base64url-encoded with the padding stripped. The JSON form is a Cloudflare-specific API (Google's resolver has a similar one), not part of the RFC.

Request examples, straight from the documentation:

GET request in DNS wire format

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST request in DNS wire format (base64 -D is the macOS spelling of the flag; with GNU coreutils use base64 -d)

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=A'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}

Obviously, only a rare home router (if any at all) can talk DNS this way, but that does not mean support will not appear tomorrow, and, interestingly, this is something we can implement in our own application (as Mozilla is going to do, although only towards Cloudflare's servers).

DNS over TLS

By default, DNS queries are transmitted unencrypted. DNS over TLS is a way to send them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as specified in RFC 7858. The server uses a certificate issued for the host cloudflare-dns.com; TLS 1.2 and TLS 1.3 are supported.

Establishing a connection and working with the protocol goes like this:

  • Before establishing the DNS connection, the DNS client stores the base64-encoded SHA-256 hash of the public key (SubjectPublicKeyInfo, the "SPKI pin") from the cloudflare-dns.com TLS certificate; this is the value kdig prints as "SHA-256 PIN" below. A pinned key has to be updated whenever the server rotates its key, so RFC 7858 also allows the usual CA-based authentication of the host name instead (kdig's +tls-ca mode).
  • The DNS client establishes a TCP connection to cloudflare-dns.com:853.
  • The DNS client initiates the TLS handshake.
  • During the TLS handshake, the cloudflare-dns.com host presents its TLS certificate.
  • Once the TLS connection is established, the DNS client can send DNS queries over the secure channel, which prevents the queries and answers from being eavesdropped on or tampered with.
  • All DNS queries sent over the TLS connection must follow the DNS-over-TCP format, i.e. each message is prefixed with its two-byte length.
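The following is an added example (not code from the post or from Cloudflare's documentation) covering both the DoH section above and the DNS-over-TLS steps just listed. It builds the RFC 1035 wire-format query that the documentation's curl examples carry in base64, encodes it for a DoH GET (base64url without padding, as RFC 8484 requires), frames it for DNS over TCP/TLS with the two-byte length prefix, and parses the 49-byte answer from the hexdump above, following the name-compression pointer (c0 0c). The last function performs a real DNS-over-TLS exchange against 1.1.1.1:853 and is only run if you call it yourself; the address, port and SNI name are taken from the post, the five-second timeout is an assumption.

```python
"""Added example: DNS wire format, DoH GET encoding and DoT framing (stdlib only)."""
import base64
import socket
import ssl
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"
DOT_HOST, DOT_PORT, DOT_SNI = "1.1.1.1", 853, "cloudflare-dns.com"

# The "dns=" value from the documentation's GET example (33-byte query).
SAMPLE_QUERY_B64 = "q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
# The 49-byte answer from the hexdump in the post, transcribed to hex.
SAMPLE_ANSWER = bytes.fromhex(
    "abcd8180000100010000000003777777"
    "076578616d706c6503636f6d00000100"
    "01c00c0001000100000a8b00045db8d8"
    "22"
)


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0xABCD):
    """Header (ID, RD flag set, QDCOUNT=1) followed by one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query):
    """RFC 8484 GET form: base64url in the 'dns' parameter, '=' padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (DOH_URL, dns)


def frame_tcp(message):
    """DNS over TCP, and therefore DNS over TLS, prefixes each message with its length."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = off + 2                      # parsing resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                          # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Return header fields, questions and answers of a wire-format response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:              # A record
            data = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:          # AAAA record
            data = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            data = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "questions": questions, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(query, host=DOT_HOST, port=DOT_PORT, sni=DOT_SNI, timeout=5.0):
    """One DNS-over-TLS exchange (RFC 7858). Needs network access; not run by default."""
    ctx = ssl.create_default_context()             # CA chain and host name are verified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame_tcp(query))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return _recv_exact(tls, length)


if __name__ == "__main__":
    query = build_query("www.example.com")
    print(doh_get_url(query))                      # same "dns=" value as in the docs
    print(parse_response(SAMPLE_ANSWER))           # www.example.com. A 93.184.216.34, TTL 2699
    # print(parse_response(dot_query(query)))     # uncomment for a live query to 1.1.1.1
```

A real client should also check that the answer's ID matches the query's and that the question section was echoed back unchanged before trusting the answer; the parser returns both fields so that check is a one-line comparison.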

An example of a DNS over TLS query:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms

This option looks well suited to local DNS servers serving the needs of a home network or a single user. True, support for the standard is not great yet, but let's hope!

A few words about what all this is about

The abbreviation DNS stands for Domain Name System (it is often expanded as Domain Name Service, which is why "DNS service" sounds redundant), and it solves a simple task: finding out which IP address a given host name corresponds to. Every time a person clicks a link, or types an address into the browser's address bar (say, something like "https://habrahabr.ru/post/346430/"), their computer tries to find out which server it should send the request for the page's contents to. In the case of habrahabr.ru, the answer from DNS will contain the IP address of the website's server, 178.248.237.68, and the browser then tries to connect to the server at that IP address.

On the other side, the DNS server, having received the query "what is the IP address of the host named habrahabr.ru?", decides whether it knows anything about that host. If not, it queries other DNS servers around the world and, step by step, tries to find the answer to the question. As a result, once the final answer is found, the data obtained is sent to the client that is waiting for it and is also stored in the DNS server's own cache, which lets it answer the same question much faster next time.

The usual trouble is that, first, DNS query data is transmitted in the clear (which gives anyone with access to the traffic the ability to pick out the DNS queries and the answers to them and then analyse them for their own purposes; the ability to target advertising precisely at a DNS client is worth a lot!). Second, some ISPs (we will not point fingers, but not the smallest ones) have a habit of showing advertising instead of one requested page or another (implemented very simply: instead of the IP address for the habrahabr.ru host name, a random person is returned the address of the provider's web server, where a page with advertising is served). Third, there are Internet access providers that implement the requirement to block individual sites by replacing the correct DNS answers for the IP addresses of the blocked network resources with the IP address of their own server with stub pages (as a result, getting to such sites becomes more complicated), or with the address of their own proxy that does the filtering.

Here there should be a picture from the site http://1.1.1.1/, used to illustrate the service's connectivity. The authors seem very confident in the quality of their DNS (though it is hard to expect anything else from Cloudflare):


One can fully understand Cloudflare, the creator of the service: they earn their bread by maintaining and developing one of the best-known CDN networks in the world (whose functions include not only content distribution but also DNS hosting), and, thanks to the urge of people who do not know the Internet well to teach people they do not know where they may and may not go on the World Wide Web, they regularly suffer from having their servers' addresses blocked by who knows whom; so having a DNS that is untouched by all that "shouting, squealing and scribbling" means less risk to their business. And the technical advantages (small, but pleasant: in particular, for customers of Cloudflare's free DNS hosting, updates to the DNS records of resources hosted on the company's DNS servers will show up in the resolver immediately) make the service described in this post even more attractive.


Will you use the new service?

  • Yes, by simply specifying it in the OS and/or on the router

  • Yes, and I will use the new modes (DNS over HTTPS and DNS over TLS)

  • No, my current servers are enough (one of the public providers: Google, Yandex, etc.)

  • No, I don't even know what I am using now

  • I use my own DNS, which recurses to them through an SSL tunnel

693 users voted. 191 users abstained.

Source: www.habr.com
